ENS Expert rule problem

Dear all,

I want to set an expert rule in the ENS Exploit Prevention module through ePO. I'm looking for a rule that allows me to take some actions on some files based on their hash. Searching the manuals, I found syntax like this:

Rule {
  Process {
    Include OBJECT_NAME {
      -v *
    }
  }
  Executable {
    Include -hash "9f06a55ab589386c3ef4a437d9b4ac2b"
    -access "CREATE READ EXECUTE"
  }
}

----------------------

This hash is just that of a test file I created. The thing is that when the policy is received by the endpoint, it just doesn't work; when I check it locally it says that there is an error:

[image: clipboard_image_0.png]

And when i check the error log:

08/08/2019 11:29:03.274 AM mfeesp(53096.53512) ApBl.BOPAP.Error (ApState.cpp:256): Syntax error: Unknown command
while executing
"Executable {
Include -hash "9f06a55ab589386c3ef4a437d9b4ac2b" -access "CREATE READ EXECUTE"
}"
invoked from within
"Rule -id "20000" { Reaction BLOCK Group "ExPExpertRules" Description "ExpertRuleChecker"
Process {
Include OBJECT_NAME {
-v **
}
}
Executab ..."
invoked from within
"Policy {Rule -id "20000" { Reaction BLOCK Group "ExPExpertRules" Description "ExpertRuleChecker"
Process {
Include OBJECT_NAME {
-v **
}
}
..."LastErr 0x000010dd The operation identifier is not valid.
08/08/2019 11:29:03.277 AM MFEConsole(60976.41508) MFEConsole.MFEConsole.Error (mfeux_extension.cpp:2150): BOPAP - invokeMethod ( [64537280,"CheckContent",{"RuleContent":"10.5.3.3134Policy {Rule -id \"20000\" { Reaction BLOCK Group \"ExPExpertRules\" Description \"ExpertRuleChecker\"\n\tProcess {\n\t\tInclude OBJECT_NAME {\n\t\t\t-v ** \n\t\t}\n\t}\n\tExecutable {\n\t\tInclude -hash \"9f06a55ab589386c3ef4a437d9b4ac2b\" -access \"CREATE READ EXECUTE\"\n\t\t}\n\t}\n\n\n}","ForceUpdate":true}]) : operation returned non-success: BL_ERROR_FAILED_REGISTRATION

-------------------------------------

I don't know exactly what is wrong; I tried other syntax, but I got the same error. The final goal is to have an easy way to build rules based on IoCs when the list is too large to use the conventional way of making rules (actually, I don't even know if it's possible to make an expert rule with actions for a hash list when any process is executed). Hope you can help me.

Best regards.

Accepted solution: Daveb3d's Message 4 below.
4 Replies
Daveb3d (Reliable Contributor), Message 2 of 5

Re: ENS Expert rule problem

Try this. I haven't checked it, but I think it should work. I don't really do hash rules, but I think this covers it.

Rule {
  Process {
    Include OBJECT_NAME {
      -v *
    }
  }
  Target {
    Match FILE {
      Include MD5 { -v "9f06a55ab589386c3ef4a437d9b4ac2b" }
      Include -access "CREATE READ EXECUTE"
    }
  }

If you are concerned about specific attacks, I would generally recommend focusing on the IOA rather than the IOC, as you won't have to worry about keeping up with a hash list.  Just block the behavior.  🙂

Re: ENS Expert rule problem

Thanks! 😀 It worked well; I just needed to add one more closing brace. Do you know if I can add more hashes to the syntax?

Daveb3d (Reliable Contributor), Message 4 of 5 (accepted solution)

Re: ENS Expert rule problem

Yup... now that I look at it I see the missing one. 🙂

Try this:

Rule {
  Process {
    Include OBJECT_NAME {
      -v *
    }
  }
  Target {
    Match FILE {
      Include MD5 {
        -v "9f06a55ab589386c3ef4a437d9b4ac2a"
        -v "9f06a55ab589386c3ef4a437d9b4ac2b"
        -v "9f06a55ab589386c3ef4a437d9b4ac2c"
        -v "9f06a55ab589386c3ef4a437d9b4ac2d"
        -v "9f06a55ab589386c3ef4a437d9b4ac2e"
        -v "9f06a55ab589386c3ef4a437d9b4ac2f"
        -v "9f06a55ab589386c3ef4a437d9b4ac2g"
      }
      Include -access "CREATE READ EXECUTE"
    }
  }
}
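The original poster's real goal was to generate rules like the one above from an IoC list that is too long to type by hand. The following Python script is an added example, not code from this thread and not McAfee tooling: it reproduces only the rule shape Daveb3d posted (Process / Target / Match FILE / Include MD5 / Include -access) and adds the list handling a practitioner needs around it. It validates each value as a 32-character hex MD5 (the placeholder list above ends in "...ac2g", which is not hex and could never match a real file), de-duplicates, optionally splits a long feed into several rules, and checks that the braces balance, which was the bug in Message 2. The feed format, the chunk size and the idea that several rules are preferable to one huge one are assumptions; the thread does not say whether ENS limits the number of -v values per Include block. ePO adds the outer -id, Reaction, Group and Description attributes itself (visible in the error log of the first post), so the text produced here is what you paste into the Expert Rule editor.

```python
import re
from typing import List

# Rule shape copied from Daveb3d's reply in this thread; the script only fills
# in the hash list. ePO wraps this in Rule -id/Reaction/Group/Description
# itself, so this is the text pasted into the Expert Rule editor.
RULE_TEMPLATE = """Rule {{
  Process {{
    Include OBJECT_NAME {{
      -v *
    }}
  }}
  Target {{
    Match FILE {{
      Include MD5 {{
{hash_lines}
      }}
      Include -access "{access}"
    }}
  }}
}}"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def is_md5(value: str) -> bool:
    """True for a well-formed lower-case MD5: exactly 32 hex characters."""
    return bool(MD5_RE.match(value))


def parse_hash_list(text: str) -> List[str]:
    """Turn an IoC feed into a clean, de-duplicated hash list.

    Assumed feed format: one hash per line with an optional trailing
    annotation, blank lines and '#' comments ignored. Values are lower-cased;
    anything that is not 32 hex characters (for example "...ac2g") is rejected,
    because it can never match a file and would be a dead entry in the rule.
    """
    seen, hashes, bad = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        value = line.split()[0].lower()
        if not is_md5(value):
            bad.append(value)
        elif value not in seen:
            seen.add(value)
            hashes.append(value)
    if bad:
        raise ValueError(f"not valid MD5 hashes: {bad}")
    return hashes


def build_rule(hashes: List[str], access: str = "CREATE READ EXECUTE") -> str:
    """Render one Expert rule covering the given hashes and access types."""
    if not hashes:
        raise ValueError("no hashes to build a rule from")
    if not all(is_md5(h) for h in hashes):
        raise ValueError("hashes must be lower-case 32-character hex MD5s")
    hash_lines = "\n".join(f'        -v "{h}"' for h in hashes)
    return RULE_TEMPLATE.format(hash_lines=hash_lines, access=access)


def build_rules(hashes: List[str], chunk_size: int = 200,
                access: str = "CREATE READ EXECUTE") -> List[str]:
    """Split a long list over several rules.

    The chunk size is an arbitrary assumption for manageability; the thread
    does not state any ENS limit on -v values per Include block.
    """
    return [build_rule(hashes[i:i + chunk_size], access)
            for i in range(0, len(hashes), chunk_size)]


def braces_balanced(rule_text: str) -> bool:
    """Catch the mistake from Message 2 of this thread: unbalanced braces."""
    depth = 0
    for ch in rule_text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample feed for the demo; not a real IoC list.
SAMPLE_FEED = """\
# constructed sample feed: <md5>  <annotation>
9F06A55AB589386C3EF4A437D9B4AC2B  test file from the original post
9f06a55ab589386c3ef4a437d9b4ac2b  same hash again, different case
d41d8cd98f00b204e9800998ecf8427e  MD5 of an empty file
"""

if __name__ == "__main__":
    for rule in build_rules(parse_hash_list(SAMPLE_FEED)):
        assert braces_balanced(rule)
        print(rule)
```

Paste each generated rule into its own Expert Rule in ePO and check the syntax locally before assigning the policy, as the original poster did; the ENS log line quoted in the first post ("Syntax error: Unknown command") is what a malformed rule produces. Daveb3d's advice still applies: a hash list only blocks the exact files you already know about, so where you can describe the behaviour instead, a rule on the behaviour needs no feed maintenance.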

 

 

 

 

Re: ENS Expert rule problem

I tried it the same way and it worked fine! Now I think I have a better understanding of the syntax when building the rule. Thanks for everything!
